FORGET PASSWORD RESET VIA EMAIL LINK

chandachewe10

Creating a functionality of resetting a forgotten password when the Admin is trying to login but has forgotten the password.

Adding a forget password button on login page which will then redirect the user to a new page where they will have to enter their email address. An expiry reset password link will be sent to their email address where they will have to click on the link before the link expires. If the link expires they will be told that the token is invalid and have to request a new password request otherwise they will proceed to change the password. Is the PR OK or its already in the process?

wrongecho

Hey there,

Thanks for raising this.

Due to the way the logins in the database are encrypted, password resetting for admins is tricky and can only be done by other admins that have access to the decryption key (via their authenticated session).

The alternative was to leave the encryption key sitting in plaintext on the server/database, which would mean that the encryption was basically pointless.

chandachewe10

wrongecho thanks noted, so just some enlightenment on how the login architecture is structured in the system, so I was going through the codes specifically in setup.php, functions.php and login.php. Here is my understanding, you will correct me where necessary:

So during the initial installation a user is created and the password of the that user is hashed using BCRYPT and is stored is the database right?
Then a master key is created which you don't store in the database, hence it is neither here nor there.
The same master key is then encrypted using the hashed password of the user and is then stored in the database as the user specific key.
So when a user attempts to login you compare the users input password with the hashed user password in the database and if it matches then you create some sessions and you later decrypt the user specific key from the database to get the original master key.
The master key is then further encrypted to create a session key which is then stored as a cookie acrosss all pages in the browser.
So how does the session key in the browsers cookies used and its role in protecting the logged in authenticated user? Do you create some tokens behind the scenes which you then compare with the session key in the browser cookies? All I can see is that the session key is stored in the browser cookie but I can't see the codes which are showing how those cookies of the session key are been used.

johnny

Hello chandachewe10 You nailed it. but the Decrypted master key for the session is used to decrypt the password field under client passwords / logins and any other future fields we want to to encrypt in the database.

chandachewe10

I haven't seen a forgot password functionality on login. What if the super admin forgets his/her password?

Why this Feature is Important

Password Recovery: People often have numerous online accounts with different passwords. It's easy to forget or mix up passwords, especially if they are complex for security reasons. The "Forgot Password" feature will allow users to regain access to their accounts without having to go through complicated manual verification processes.
Security: If users are unable to recover their passwords, they might resort to using weaker passwords, writing them down, or using the same password across multiple platforms. This increases the risk of security breaches, as weak or reused passwords are easier for malicious actors to guess or crack.

wrongecho

From your post history:

https://forum.itflow.org/d/76-forget-password-reset-via-email-link/

wrongecho

Merged in duplicate discussion from same community member